Standardizing on Windows 10: Our Advice for Enhancing Security in Large Deployments

“Gartner projects that half of enterprises will have started Windows 10 deployments by January 2017, with many enterprises planning to begin pilots for Windows 10 in the first half of 2016 and broadening their deployments in the latter part of the year,” according to an article in Information Week.

This aligns with trends in managing enterprise desktop computing that are striving to keep up with diverse business requirements while fighting a security landscape that sees hundreds of Indicators of Compromise (IOC) every day.

The good news is Windows 10 comes with a lot of promises for enterprise and government customers, particularly when it comes to security (read our take from Nov 2015). One of the major advances is enhancing OS security. Microsoft also notably added Virtualization-Based Security, or VBS, for advanced security built into the OS.

Microsoft is working to improve security.

Our CTO, Simon Crosby, discussed the new security enhancements with Dark Reading, explaining that Microsoft is increasingly moving down the path of using additional hardware features on a device to do security. For instance, Microsoft provides hardware-assisted security technologies in the new feature called Device Guard, which ensures devices are booted securely, whitelists kernel code and offers credential protection and biometric authentication (read more).

The primary benefit of Windows 10 is security, but few organizations can contemplate the complex and labor-intensive task of upgrading existing PCs or shoulder the cost of a hardware refresh just to protect credentials and benefit from kernel whitelisting. This means the adoption of Windows 10 might be stalled pending a hardware refresh with OEM configurations for Secure Boot and Windows 10 with virtualization-based security.

Our security guidance for Win 10 adopters.

At Black Hat in early August, Bromium researcher Rafal Wojtczuk broke down these new capabilities and provided guidance to large enterprises and federal agencies (such as DoD), who are planning to “standardize” on Win10 in the months ahead.

Credential Guard (CG) leverages virtualization for the first time in a commodity OS to provide security. This feature was designed to tackle attacks popularly known as “pass the hash” attacks. This form of attack has plagued the Windows OS for about 20 years and is one of the primary vectors used for lateral movement by attackers. In this attack the attacker can simply reuse the stored “password hash” of the user without the need to “crack” the password. In our opinion, enterprises have spent significant amounts of time and money to prepare for and combat this attack vector.

What we found: CG has limitations which can still be leveraged to run an attack with effects similar to pass the hash. We were able to reuse a logged-in user’s credentials and authenticate with a remote server, even after the user had logged out – thus achieving the primary goal of the classic pass the hash attack, with CG turned on.

Kernel code integrity can be bypassed.

Another security enhancement in Win10 is that it implements kernel code integrity to mitigate what kernel exploits can achieve.

What we found: While conducting our research, we discovered a mitigation bypass allowing a kernel exploit to run arbitrary unsigned code in kernel context. This bypass helps attackers to trojan the OS kernel and install rootkits on the victim machine. Note: Bromium notified Microsoft and this issue has been patched in the MS16-066 bulletin.

Advanced attacks on Virtualization-Based Security (VBS).

Since VBS is a brand new capability, we wanted to better understand it, so we reviewed several attack vectors, ranging from its reliance on UEFI (Unified Extensible Firmware Interface) – a specification that defines a software interface between an operating system and platform firmware – to exploitation leveraging SMM (System Management Mode) vulnerabilities. These types of attacks are well documented by researchers in the security community (e.g.: thinkpwn).

What we found: We were able to completely bypass VBS leveraging these advanced attack vectors.
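The findings above (Credential Guard limitations, the kernel code integrity bypass, and the VBS dependence on UEFI and Secure Boot) only matter on a given machine if those protections are actually running there, and a common gap in large deployments is a policy that configures them on hardware that cannot provide them. The following PowerShell script is an added example and is not code from the Bromium post or from Microsoft; it assumes a Windows 10 host that exposes the Win32_DeviceGuard WMI class (namespace root\Microsoft\Windows\DeviceGuard) and the Confirm-SecureBootUEFI cmdlet, and it is run from an elevated prompt.

```powershell
# Added example (not from the Bromium post): report whether the Windows 10 platform
# protections discussed above are active on this machine, and which ones are
# configured by policy but not running (a sign of a hardware or firmware gap).
# Assumes the Win32_DeviceGuard WMI class and the Confirm-SecureBootUEFI cmdlet.

function Get-PlatformSecurityStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesRunning lists service ids: 1 = Credential Guard, 2 = HVCI (kernel code integrity)
    $cgRunning   = $dg.SecurityServicesRunning -contains 1
    $hvciRunning = $dg.SecurityServicesRunning -contains 2

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as Secure Boot unavailable
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # Anything configured but absent from the running list points at a hardware/firmware prerequisite
    $missing = @($dg.SecurityServicesConfigured | Where-Object { $dg.SecurityServicesRunning -notcontains $_ })

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        SecureBoot              = $secureBoot
        VbsRunning              = $vbsRunning
        CredentialGuardRunning  = $cgRunning
        HvciRunning             = $hvciRunning
        ConfiguredButNotRunning = $missing
    }
}

$status = Get-PlatformSecurityStatus
$status | Format-List

# A single warning line makes the output easy to grep across a fleet scan
if (-not ($status.SecureBoot -and $status.VbsRunning -and $status.CredentialGuardRunning -and $status.HvciRunning)) {
    Write-Warning "One or more Windows 10 platform protections is not running on $($status.ComputerName)"
}
```

Run it through your management tooling on each endpoint and collect the objects; machines that report Credential Guard or HVCI as configured but not running are the ones the post describes as waiting on a hardware refresh, and machines where Secure Boot is off are the ones where the UEFI-based attack surface discussed above is least protected.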

Ransomware threats are not addressed.

Ransomware has been in the news for the past few years, and enterprises and users alike are paying millions of dollars to their attackers to regain control of their systems.

What we found: Win10 doesn’t provide any capability besides standard OS features to thwart this menace. Users are on their own to combat this malware family.

Windows 10 security comes bundled with a lot of promise. Our analysis concludes that it is indeed a path forward for enabling advanced security built into the operating system. Notably, the OS needs specific hardware features for some of the major capabilities to work, which is the case with Virtualization-Based Security. However, based on our research, several of these capabilities fall short of completely solving some of the major challenges that have been a problem for decades.